On Sun, Jan 20, 2013 at 02:24:36PM -0500, Dmitri Pal wrote:
> On 01/20/2013 05:01 AM, MaSch wrote:
> > On 1/19/13 8:16 PM, Dmitri Pal wrote:
> >> What is the situation with the time on that box?
> >> Was the time and time zone set correctly?
> >> Is it a VM?
> >> Can it be that the time drifted in some way?
> >>
> > The time zone is correct for my region (Europe/Berlin) as is the current 
> > time.
> > It is a VM - running inside VMware Fusion 4 on OSX.
> > I doubt that time drifted in between somehow in an unusual manner. I just 
> > tried again and checked :
> >
> > [root@ipa-server user]# klist
> > Ticket cache: 
> > DIR::/run/user/1000/krb5cc_1f3f8ebeec8d053aa0a2f46e50fbb20c/tkt5LELnl
> > Default principal: admin@MATRIX.LOCAL
> >
> > Valid starting     Expires            Service principal
> > 01/20/13 10:47:56  01/21/13 10:47:56  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
> > [root@ipa-server user]# date
> > Sun Jan 20 10:51:07 CET 2013
> > [root@ipa-server user]# ipa-adtrust-install --netbios-name=MATRIX -a 
> > mypassword1
> > ...
> > Outdated Kerberos credentials. Use kdestroy and kinit to update your ticket
> > [root@ipa-server user]# date
> > Sun Jan 20 10:51:12 CET 2013
> >
> > So the "ipa-adtrust-install" is issued while the krbtgt is valid. However 
> > as before kdestroy and subsequent kinit don't
> > help.
> 
> Then it might be that the tgt is actually missing something that AD 2012
> is now expecting and it is triggering a wrong message.
> Please file a ticket or BZ.

This is not related to AD because it is still the step before
establishing the trust as Marco said below. The message "Outdated
Kerberos credentials. Use kdestroy and kinit to update your ticket"
indicates that we failed to connect to the local LDAP server. Maybe a
ticket should be filed to mention the local LDAP server in the message?

Marco, have you tried to run ipa-adtrust-install without the -a option?
Can you try to access your local LDAP server with:

# kinit admin
# ldapsearch -H ldap://ipa-server.matrix.local -Y GSSAPI -b \
  'dc=matrix,dc=local' -s base

bye,
Sumit
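
One way to separate the two causes discussed in this reply (a stale ticket versus a failed GSSAPI bind to the local LDAP server), as an added example that is not part of the original message or of FreeIPA. The function name, the verdict strings and the anonymous root DSE probe are assumptions; the host and base DN are the ones from this thread.

```shell
#!/bin/sh
# Added example: tell "no valid TGT" apart from "GSSAPI bind to LDAP failed".
# KLIST and LDAPSEARCH can be overridden so the logic can be exercised
# without a KDC or directory server.
KLIST=${KLIST:-klist}
LDAPSEARCH=${LDAPSEARCH:-ldapsearch}

# Prints one verdict word; returns 0 only when the GSSAPI bind succeeds.
diagnose_ipa_ldap() {
    host=$1
    base=$2

    # klist -s prints nothing and exits non-zero when the credential
    # cache cannot be read or the ticket has expired.
    if ! "$KLIST" -s; then
        echo NO_VALID_TGT
        return 1
    fi

    # Anonymous read of the root DSE: is the directory answering at all?
    if ! "$LDAPSEARCH" -x -H "ldap://$host" -b '' -s base >/dev/null 2>&1; then
        echo LDAP_UNREACHABLE
        return 2
    fi

    # The bind suggested in the thread: SASL/GSSAPI with the kinit ticket.
    if ! "$LDAPSEARCH" -Y GSSAPI -H "ldap://$host" -b "$base" -s base \
            >/dev/null 2>&1; then
        echo GSSAPI_BIND_FAILED
        return 3
    fi

    echo OK
}

# Runs only when host and base DN are given, for example:
#   sh diag.sh ipa-server.matrix.local dc=matrix,dc=local
if [ $# -ge 2 ]; then
    diagnose_ipa_ldap "$1" "$2"
fi
```

A `GSSAPI_BIND_FAILED` verdict with a valid TGT is the case where kdestroy and kinit do not help, since the ticket itself is not the problem.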

> 
> >
> > On 1/19/13 10:44 PM, Dale Macartney wrote:
> >> Critical pre-req is definitely to make sure DNS resolution is working in
> >> advance. It's always a killer.
> >>
> >> If you use IPA managed DNS, use the following.
> > Thanks for the pointer Dale, but I don't even get that far to do the actual 
> > trust. And as far as I can tell, DNS is
> > set up correctly locally. The resolv.conf points to the IPA server itself 
> > (this is automatically changed during
> > installation), atm no forwarding is done and dns resolution of the 
> > ipa-server and ipa-domain work on the ipa-server itself.
> >
> > Regards Marco
> >
> >
> >
> >> On 01/19/2013 01:25 PM, MaSch wrote:
> >>> Hello all,
> >>>
> >>> I'm trying to set up FreeIPA on Fedora 18 (Final) with AD integration on a 
> >>> test server. However I do not even get past
> >>> the initial (local) steps described in : 
> >>> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Add_trust_with_AD_domain
> >>> The last step of the section "Install and configure IPA server" gives me 
> >>> the following error :
> >>>
> >>> "Outdated Kerberos credentials. Use kdestroy and kinit to update your 
> >>> ticket"
> >>>
> >>> However "kdestroy" followed by a consequent "kinit admin" does not help, 
> >>> I get the error again when trying
> >>> to "ipa-adtrust-install"
> >>>
> >>> The ipaserver-install.log says :
> >>> 2013-01-19T17:19:56Z DEBUG stderr=
> >>> 2013-01-19T17:19:56Z DEBUG will use ip_address: 172.16.135.141
> >>>
> >>> 2013-01-19T17:19:56Z DEBUG Starting external process
> >>> 2013-01-19T17:19:56Z DEBUG args=kinit admin
> >>> 2013-01-19T17:19:57Z DEBUG Process finished, return code=0
> >>> 2013-01-19T17:19:57Z DEBUG stdout=Password for admin@MATRIX.LOCAL:
> >>>
> >>> 2013-01-19T17:19:57Z DEBUG stderr=
> >>> 2013-01-19T17:19:57Z INFO   File 
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py", 
> >>> line 617, in
> >>> run_script
> >>>     return_value = main_function()
> >>>
> >>>   File "/usr/sbin/ipa-adtrust-install", line 304, in main
> >>>     sys.exit("Outdated Kerberos credentials. Use kdestroy and kinit to 
> >>> update your ticket")
> >>>
> >>> 2013-01-19T17:19:57Z INFO The ipa-adtrust-install command failed, 
> >>> exception: SystemExit: Outdated Kerberos credentials.
> >>> Use kdestroy and kinit to update your ticket
> >>>
> >>> ______________________________________________________________________________________________________
> >>>
> >>>
> >>> I tried to follow the instructions and stick to the plan - here is the 
> >>> history of commands I executed on a fresh Fedora
> >>> 18 Installation (after installing vmware tools in the vm) (long output is 
> >>> omitted and replaced by ...) :
> >>>
> >>>
> >>> [root@linux user]# yum update -y
> >>> ...
> >>> [root@linux user]# reboot
> >>> [root@linux user]# yum install -y "*ipa-server" "*ipa-server-trust-ad" 
> >>> samba4-winbind-clients samba4-winbind
> >>> samba4-client bind bind-dyndb-ldap
> >>> ...
> >>> [root@linux user]# echo "172.16.135.141    ipa-server.matrix.local 
> >>> ipa-server" >> /etc/hosts
> >>> [root@linux user]# hostname ipa-server.matrix.local
> >>> [root@linux user]# hostname
> >>> ipa-server.matrix.local
> >>> [root@linux user]# ping ipa-server.matrix.local
> >>> PING ipa-server.matrix.local (172.16.135.141) 56(84) bytes of data.
> >>> 64 bytes from ipa-server.matrix.local (172.16.135.141): icmp_seq=1 ttl=64 
> >>> time=0.058 ms
> >>> [root@linux user]# ipa-server-install -a mypassword1 -p mypassword2 
> >>> --domain=matrix.local --realm=MATRIX.LOCAL
> >>> --setup-dns --no-forwarders -U
> >>> ... setup completes without errors
> >>> [root@linux user]# kinit admin
> >>> Password for admin@MATRIX.LOCAL:
> >>> [root@linux user]# klist
> >>> Ticket cache: 
> >>> DIR::/run/user/1000/krb5cc_c9794d10f5cd59bd63c423ac50fad257/tktT3hTsU
> >>> Default principal: admin@MATRIX.LOCAL
> >>>
> >>> Valid starting     Expires            Service principal
> >>> 01/19/13 12:19:06  01/20/13 12:19:02  krbtgt/MATRIX.LOCAL@MATRIX.LOCAL
> >>> [root@linux user]# id admin
> >>> uid=1396400000(admin) gid=1396400000(admins) groups=1396400000(admins)
> >>> [root@linux user]# getent passwd admin
> >>> admin:*:1396400000:1396400000:Administrator:/home/admin:/bin/bash
> >>> [root@linux user]# ipa-adtrust-install --netbios-name=MATRIX -a 
> >>> mypassword1
> >>> The log file for this installation can be found in 
> >>> /var/log/ipaserver-install.log
> >>> ==============================================================================
> >>> This program will setup components needed to establish trust to AD 
> >>> domains for
> >>> the FreeIPA Server.
> >>>
> >>> This includes:
> >>>   * Configure Samba
> >>>   * Add trust related objects to FreeIPA LDAP server
> >>>
> >>> To accept the default shown in brackets, press the Enter key.
> >>>
> >>>
> >>> The following operations may take some minutes to complete.
> >>> Please wait until the prompt is returned.
> >>>
> >>> Outdated Kerberos credentials. Use kdestroy and kinit to update your 
> >>> ticket
> >>>
> >>> ______________________________________________________________________________________________________
> >>>
> >>> The freeipa packages installed are :
> >>>
> >>> freeipa-server-trust-ad-3.1.0-2.fc18.x86_64
> >>> freeipa-python-3.1.0-2.fc18.x86_64
> >>> freeipa-server-selinux-3.1.0-2.fc18.x86_64
> >>> freeipa-admintools-3.1.0-2.fc18.x86_64
> >>> freeipa-server-3.1.0-2.fc18.x86_64
> >>> freeipa-client-3.1.0-2.fc18.x86_64
> >>>
> >>>
> >>> Any help would be appreciated, perhaps I'm just missing a simple step.
> >>>
> >>>
> >>> Regards
> >>> Marco
> >>>
> >>> _______________________________________________
> >>> Freeipa-users mailing list
> >>> Freeipa-users@redhat.com
> >>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >
> 
> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 
> 
